RSM NIS2 advisory services support your company in preparing to comply with the NIS2 Directive, ensuring your Hungarian entity will be ready to meet the cybersecurity regulations. With our NIS2 maintenance support service, we continue to assist after the audit to ensure that compliance is not a one-off project, but a sustainable, up-to-date and auditable practice in the long term.

NIS2 audits are now taking place in practice in 2026. Our NIS2 auditor/statutory auditor professionals have up-to-date, hands-on NIS2 audit experience, and our clients supported through our NIS2 preparation have successfully completed their first-round audits.

What is NIS2?

The NIS2 Directive (Network and Information Systems Directive 2) marks a new milestone in cybersecurity. NIS2 establishes a unified high-level cybersecurity framework across the European Union aimed at strengthening the preparedness of member states and affected organizations to defend against cyber threats.

Cybersecurity is one of the most critical challenges today and the NIS2 Directive is a key step in protecting digital infrastructure.

The NIS2 Directive requires organisations providing essential or digital services to comply with stringent cybersecurity requirements and inform national authorities of cybersecurity incidents.

During RSM's NIS2 advisory services, our experienced IT audit specialists, as part of our audit business line, support your preparation to comply with the NIS2 Directive requirements, helping your company meet cybersecurity standards.

Compliance with the NIS2 directive - how can RSM Hungary help?

During RSM's NIS2 advisory services, our experienced IT audit specialists support the preparation of Hungarian companies to comply with the requirements of the NIS2 Directive. We help your firm meet cybersecurity requirements.

In relation to RSM’s NIS2 advisory, we provide the following services:

NIS2 GAP analysis:

  • We assess the current operational status of your organization.
  • We identify the differences between your current status and regulatory requirements.
  • We prepare a detailed report on the identified cybersecurity deficiencies.

NIS2 advisory:

  • We assess the current cybersecurity status of the organization.
  • We identify the differences.
  • We assess relevant IT risks.
  • We prepare a risk-based action plan to correct deficiencies.

NIS2 Preparation:

  • Security classification
  • GAP analysis
  • Risk assessment and treatment action plan
  • NIS2 compliant policies
  • Awareness trainings
  • Audit support

NIS2 Maintenance Support:

Following successful preparation and the first audit, maintaining NIS2 compliance becomes an ongoing professional task. During the next audit, not only the existing documentation will be reviewed, but also whether it has been regularly updated, whether operations are traceable, and whether management oversight has been in place.

As part of our service, we support our clients in ensuring that NIS2 compliance is not treated as a one-off project, but as a sustainable and consistently functioning practice.

  • Regular review and update of risk assessments
  • Updating NIS2 policies and procedures and tracking changes
  • Evaluation of the operation and effectiveness of security measures
  • Support in defining KPIs, KRIs and other security metrics
  • Incorporation of lessons learned from incidents, deficiencies and audit findings
  • Support in preparing NIS2 management and audit reports
  • Preparation for authority or certification body inquiries

NIS2 – who falls within the scope?

The NIS2 Directive does not apply directly to Hungarian companies, but EU Member States, including Hungary, must integrate it into their own national legal systems.

In Hungary, the implementation centers on the Cybersecurity Act (Act LXIX of 2024), Decree No. 418/2024. (XII. 23.) and the supervisory authority (SZTFH). The Cybersecurity Act describes in detail the national regulations of cybersecurity certification and supervision, while the authority’s role is to monitor compliance with cybersecurity regulations. The companies affected by NIS2 are regulated in Annexes II and III of the Cybersecurity Act, which list the critical sectors covered by the act.

The sectors considered strategically highly critical under the NIS2 Directive are as follows:

  • Energy and energy management
  • Transport and logistics
  • Healthcare and the pharmaceutical industry
  • Water and wastewater
  • Banking and financial services
  • Telecommunications services and digital infrastructure
  • Outsourced ICT services
  • Ground-based infrastructure supporting space operations

Based on size criteria, the regulation applies only to medium-sized and large companies with at least 50 employees or a revenue of 10 million euros.

Size rules do not apply to electronic communications, trust and DNS service providers, top-level domain name registrars or domain name registration service providers.


Under Act LXIX of 2024, organisations operating in critical sectors are required to implement several security measures, which are defined in a decree by the minister responsible for IT.

Check your NIS2 involvement - NIS2 Calculator

With RSM’s NIS2 calculator you can check your company’s NIS2 involvement.

Check your NIS2 involvement with the help of RSM's NIS2 calculator!

What are the NIS2 requirements in Hungary?

Hungarian Act LXIX of 2024 aims to keep pace with digital transformation and ensure the security of electronic information systems and their physical environments.

The requirements for NIS2-affected organizations are as follows:

1. Registration:

Based on the previous law, the affected organizations had to register from January 1, 2024 in Hungary. Organizations that commenced operations before 1 January 2024 were required to register by 30 June 2024. For all other organizations, a 30-day registration deadline applies in accordance with the Cybersecurity Act.

2. Security classification of electronic information systems:

Affected organizations must classify their electronic information systems into appropriate security classes.

3. Obligation to pay supervisory fees and implement appropriate protective measures.

4. Contract with an auditor:

Affected organizations must sign a contract with a selected NIS2 auditor.

NIS2 deadlines in Hungary - what to pay attention to?

  • By June 30, 2026: In the case of organisations that commenced their operations before January 1, 2025, the selected auditor must complete the first cybersecurity audit. For all other organisations, a period of two years is available for this under Section 16(2)(b) of the Cybersecurity Act.
  • Until 31 December 2025: For those organizations which started their activities before 01.01.2025, the selected auditor conducts the first cybersecurity audit. In the case of all other organizations, two years are available for this based on Act LXIX of 2024.
  • Until 15 February 2025: All organizations that registered with the authority must report the list of EU member states where the organization provides services.
  • From 18 October 2024: Organizations affected by NIS2 should implement security measures in accordance with the appropriate security class of their electronic information systems and pay the supervisory fee to SZTFH.
  • Until 30 June 2024: All organizations affected by NIS2 had to self-identify and apply for registration by completing the SZTFH 420 form. New companies have 30 days after becoming subject to the Act to submit an application.
  • Under Act LXIX of 2024, a contract must be concluded with an accredited audit organization listed on the SZTFH website within 120 days after registration.

NIS2 sanctions in case of non-compliance with cybersecurity regulations

If an organization under the NIS2 Directive does not meet the requirements of the NIS2 Directive in Hungary, it may face significant financial consequences.

For companies providing key services, fines can reach 10 million euros or 2% of annual global revenue, while for organizations providing important services this amount can be 7 million euros or 1.4% of the previous year's revenue.

The extent of cybersecurity fines and the detailed related rules for non-compliance with the Cybersecurity Act and other Hungarian NIS2 regulations are determined in Appendix III of Decree no. 418/2024. The affected organisation must pay the NIS2 fines within 8 days, and in the case of multiple violations, the penalty is capped at the sum of the maximum fines that can be imposed for the individual instances of non-compliance. The fine may be reimposed after the deadline has expired.

If the company does not comply with the requirements of NIS2 set out in the Cybersecurity Act, the certifying authority warns the organisation to correct the deficiency by a deadline. If the organisation still does not meet the requirements after the deadline, the authority may impose a penalty appropriate to the degree of irregularity, which may be repeated in case of subsequent non-compliance. Compliance with the regulations is supervised by SZTFH. The aim is to ensure that organizations operating critical infrastructure are better prepared for cyber threats and take timely steps to ensure compliance. Therefore, it is crucial for companies to start implementing the necessary measures now.
